Expanse v2

Expanse v2 1.4.1 355518

Automate Attack Surface Management to identify Internet assets and quickly remediate misconfigurations with Expanse, a Palo Alto Networks company.

The Expanse Content Pack for Cortex XSOAR provides full coverage of the Expander and Behavior product capabilities from Expanse, allowing SOCs to automate the defense of their company's attack surface. The integrations included in the pack fetch Expanse Issues and mirror them into Cortex XSOAR incidents, and ingest the indicators (IPs, domains and certificates) that make up the corporate network perimeter as discovered by Expanse, a Palo Alto Networks company.

Through a set of playbooks, analysts can correlate the discovered assets with data from internal security systems (such as Palo Alto Networks Cortex Data Lake, Prisma Cloud and Panorama, Active Directory, Splunk SIEM, etc.) to pinpoint the right owners of those assets and automate remediation.

What does this pack do?
  • Provides the Expanse v2 integration (for Expanse Expander and Behavior), which allows XSOAR to collect Expanse Issues and bi-directionally mirror them. Several commands are available to search, tag, and update Issues and Assets in Expanse. The integration also supports the Services API.
  • Provides a feed integration named Expanse Expander Feed, compatible with the Cortex XSOAR Threat Intel Management capabilities, which retrieves the discovered assets (IPs, IP ranges, domains, certificates) and stores them in Cortex XSOAR as indicators for analysis and correlation.
  • Provides an Expanse Issue Incident Type with dedicated fields and layouts.
  • Provides a rich set of Playbooks and Subplaybooks that handle the investigation and remediation of Expanse Issues.
  • Provides dashboards that display the network perimeter as discovered by Expanse and the status of Expanse Issues.
How to use this pack?
  • Once the Expanse API key is added to the Expanse v2 integration instance and its parameters are set, fetched Expanse issues are mapped to the Expanse Issue incident type and the Handle Expanse Incident playbook is launched automatically. Because the integration also mirrors changes back and can update issues and tag assets in Expanse, treat that API key as a write credential, not a read-only one.
  • If you are only interested in enrichment and attribution, use the Handle Expanse Incident - Attribution Only playbook instead, by assigning it to the Expanse Issue incident type.
Screenshots
  • Expanse Incidents Dashboard: The main Dashboard for all the Expanse Incidents.

  • Expanse Incident Layout: The included default layout for Expanse Incidents.

  • Expanse Attribution Report: The report generated by the attribution stage of the main playbook after checking multiple log sources and Prisma Cloud environments.

  • Handle Expanse Incident - Remediation: An excerpt of the remediation stage of the main playbook. Note the separate branches handling notifications, automatic network remediation, and the follow-up Shadow IT investigation that runs when the incident assignee marks the asset as Shadow IT.

Video

Expanse and Cortex XSOAR

PUBLISHER

Cortex XSOAR

INFO

Certification: Read more
Supported By: Cortex XSOAR
Created: December 23, 2020
Last Release: May 9, 2021
Categories: Asset Management, Threat Intelligence Management, Vulnerability Management
DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.